[redhat-lspp] Deleting xfrms
Joy Latten
latten at austin.ibm.com
Mon Feb 12 23:39:57 UTC 2007
I was looking at a patch D.Miller posted for xfrm_audit_log()
and could not help but notice that in pfkey_spddelete() and
xfrm_get_policy() we delete policy first and then check to see if we
have permissions to. Am I missing the original intention, or
is this incorrect? Shouldn't it check the permissions first and then
call xfrm_policy_bysel_ctx()?
pfkey_spddelete() in af_key.c:

        xp = xfrm_policy_bysel_ctx(XFRM_POLICY_TYPE_MAIN,
                                   pol->sadb_x_policy_dir-1,
                                   &sel, tmp.security, 1);
        security_xfrm_policy_free(&tmp);

        xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
                       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);

        if (xp == NULL)
                return -ENOENT;

        err = 0;

        if ((err = security_xfrm_policy_delete(xp)))
                goto out;
        c.seq = hdr->sadb_msg_seq;
        c.pid = hdr->sadb_msg_pid;
        c.event = XFRM_MSG_DELPOLICY;
        km_policy_notify(xp, pol->sadb_x_policy_dir-1, &c);
xfrm_get_policy() in xfrm_user.c is very similar.
Regards,
Joy
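The ordering question raised above, as an added example that is not part of the original post or of the kernel code it quotes: a constructed toy policy table with a stand-in for the LSM delete hook, run under both orderings. All names here (policy_lookup, security_check_delete, delete_policy_delete_then_check, delete_policy_check_then_delete, table_has) are hypothetical and only mimic the shape of the quoted code; the delete flag on policy_lookup plays the role of the trailing 1 passed to xfrm_policy_bysel_ctx(). The toy ignores the locking and reference counting a real kernel change would need between a non-deleting lookup and the later removal.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model (hypothetical names, not the kernel's xfrm API). */
#define MAX_POLICIES 4

struct policy {
    int id;
    bool in_use;
    bool delete_allowed;   /* stands in for the security module's decision */
};

static struct policy table[MAX_POLICIES];

static void table_reset(void)
{
    memset(table, 0, sizeof table);
}

static int table_add(int id, bool delete_allowed)
{
    for (size_t i = 0; i < MAX_POLICIES; i++) {
        if (!table[i].in_use) {
            table[i].id = id;
            table[i].in_use = true;
            table[i].delete_allowed = delete_allowed;
            return 0;
        }
    }
    return -ENOSPC;
}

bool table_has(int id)
{
    for (size_t i = 0; i < MAX_POLICIES; i++)
        if (table[i].in_use && table[i].id == id)
            return true;
    return false;
}

/* Lookup with an optional delete flag: with delete_it set, a hit is removed
 * from the table before the caller gets to inspect it, like the "1" passed
 * to xfrm_policy_bysel_ctx() in the quoted code. */
static struct policy *policy_lookup(int id, bool delete_it)
{
    for (size_t i = 0; i < MAX_POLICIES; i++) {
        if (table[i].in_use && table[i].id == id) {
            if (delete_it)
                table[i].in_use = false;
            return &table[i];
        }
    }
    return NULL;
}

/* Stand-in for security_xfrm_policy_delete(): 0 on permit, -EPERM on deny. */
static int security_check_delete(const struct policy *xp)
{
    return xp->delete_allowed ? 0 : -EPERM;
}

/* Ordering as quoted from pfkey_spddelete(): delete on lookup, check after.
 * A denied request still returns -EPERM, but the entry is already gone. */
int delete_policy_delete_then_check(int id)
{
    struct policy *xp = policy_lookup(id, true);
    if (xp == NULL)
        return -ENOENT;
    int err = security_check_delete(xp);
    if (err)
        return err;          /* too late: the policy was removed above */
    return 0;
}

/* Ordering the post asks about: look up without removing, run the check,
 * and only then remove. */
int delete_policy_check_then_delete(int id)
{
    struct policy *xp = policy_lookup(id, false);
    if (xp == NULL)
        return -ENOENT;
    int err = security_check_delete(xp);
    if (err)
        return err;          /* denied: table untouched */
    policy_lookup(id, true);
    return 0;
}

/* Runs one delete routine against a policy the hook will deny and reports
 * whether the policy survived; this is the property that matters. */
bool denied_delete_leaves_policy(int (*del)(int))
{
    table_reset();
    table_add(7, false);
    return del(7) == -EPERM && table_has(7);
}

/* Same for a permitted delete: both orderings should remove the policy. */
bool permitted_delete_removes_policy(int (*del)(int))
{
    table_reset();
    table_add(7, true);
    return del(7) == 0 && !table_has(7);
}

int main(void)
{
    printf("delete-then-check keeps a denied policy: %s\n",
           denied_delete_leaves_policy(delete_policy_delete_then_check) ? "yes" : "no");
    printf("check-then-delete keeps a denied policy: %s\n",
           denied_delete_leaves_policy(delete_policy_check_then_delete) ? "yes" : "no");
    return 0;
}
```

Both orderings report -EPERM to the caller when the hook denies, so the return code alone does not reveal the difference; only inspecting the table afterwards does, which is why the audit record in the quoted code (logged right after the lookup) would show a successful deletion in both cases.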